security

Here’s a list of the main security and privacy related events at Barcelona (some of which I’ll be speaking at). You’ll need a specific pass to get into some of them and that is shown next to the event.

Of course plenty of the other presentations have security aspects – all the Connected Home, mHealth and Internet of Things talks, to mention but a few! Also, if you’d like to meet me, you’ll see me at a few of these events or you can email to make an appointment out there.

Another year and we’re back again. This year’s Copper Horse security dinner will take place as usual at a secret location in Barcelona on the 23rd of February. With some of the world’s leading minds in mobile security present, it’s the hottest ticket for Sunday night. Contact us if you’d like to attend, there’s a limited number of places. As always, we split the bill at the end.

I’ll once again be judging in the Global Mobile Awards “Best Mobile Identity, Safeguard & Security Products/Solutions” category this year. The deadline for entry submissions is Friday, the 29th of November 2013 at 5pm (GMT). The shortlist will be announced in January 2014 and the awards will be presented at Mobile World Congress.

If you’re planning to enter, there’ll be a live Q&A on the awards on Friday, November the 8th. Follow the GSMA’s twitter account @GSMA and the hashtag #GMA14 for more details!

If you want to show off your organisation’s success and innovation in the world of telecoms, please enter at the awards page: www.globalmobileawards.com

Join me on Friday the 11th at 3pm (UK), 7am (PDT), 10am (EDT) for a discussion via LinkedIn on the topic of mobile security. I’ll be talking about everything from mobile phone theft and fingerprint scanners, to what the future could hold.

More details here. So hopefully see you all there. If you can’t make it, have a look at this book if you’re interested in the topic.

Just a few days ago I wrote about some of my concerns on biometrics, after the launch of the fingerprint scanner ‘Touch ID’ on the iPhone 5S. It appears that they may have been well-founded. The Chaos Computer Club in Germany has released a blog post and video which seem to show Touch ID being broken by a fake fingerprint. Back to the drawing board again on biometrics? Watch the video for yourself below:

So, here we are. Another iPhone launch and seemingly even fewer features. The September 10th launch of the iPhone 5S brings the only physical feature of note: fingerprint scanning via “Touch ID”, which is built into the home button of the phone (an elegant way of doing it, by the way). This turn of events is more about a push by Apple towards acceptably secure m-payments and stronger user authentication for the web and the App Store than it is about access control to the device itself. I’m pretty sure that there’s a strong pull from the business / enterprise sector as well for this kind of technology. In my experience, senior management seem to quite like things they’ve seen in a sci-fi film, such as palm-print security access and voice recognition in front of big strong-room doors. Perhaps a blue LED or two to top it off. That of course, is real security. Not.

Just like in the movies! It must be secure!

So what does this technology really bring us and why hasn’t it been implemented before? Let’s concentrate on just the access control piece here.

Leaving your keys hanging around

Unlike a PIN, you leave a number of exact replicas of your fingerprints in various public places as you go about your daily business. That’s like leaving an exact imprint of your front door key over twenty times a day on things like the side of your car door, a coffee cup and the table of your favourite pub. In all likelihood, the back of your mobile phone contains a pretty good copy of your fingerprint right now. In 2008, the German interior minister Wolfgang Schäuble found this out when hacktivists collected his fingerprint from a glass. And remember: once you’ve lost your fingerprint you can’t really get it back (you only have a limited number of them!).

There is an argument to say that most street thieves (like burglars) are not going to want a direct confrontation with the owner, but there’s also plenty of evidence of violence during mobile phone theft from people being shot or held at knifepoint, just for their phone.

One could easily imagine a scenario where the user is just forced to open up the device and remove the security protection before the criminal makes off. This scenario could just as easily be argued for users with PIN protection and it seems (from my unscientific hearsay point-of-view!) that we haven’t heard of many instances of thieves doing this. What seems to be more prevalent is either unattended theft or snatch theft where the phone is actually being used (and is therefore unlocked and ready to go).

“The number of phones found on the London Underground alone was 25,000 in 2011”

According to the Office for National Statistics’ report on Mobile Phone Theft [pdf], the Crime Survey for England and Wales for 2011/12 showed that 7 in 10 incidents of mobile phone theft were personal thefts (e.g. pickpocketing or snatch) or ‘other thefts of personal property’. These ‘others’ are defined as: “items stolen while away from home, but not carried on the person (such as theft of unattended property in pubs, restaurants, entertainment venues, workplaces etc.).”

What fingerprint biometric technology does give you is convenience, more so given that the sensor for Touch ID is built into the key that you would have to press anyway. Instead of having to make four or more finger movements (and possibly engage your brain to remember a PIN), you have almost instantaneous access, which when you consider how many times you have to enter your PIN into your phone every day is surely a good thing. What convenience then hopefully gives you is increased adoption by users, which overall is again a good thing. Most people using fingerprint access control is a much better situation for everyone than a few people using a PIN.

However, this is certainly not all a bed of roses. Usability is a big issue once you look into it (and I’m not sure how much Apple have taken this into consideration).

Some people simply can’t use fingerprint readers; for example, the very young, the elderly and some disabled people. In addition, false negatives can be caused by various factors such as:

In some senses, this functionality could be regarded as socially regressive, or at least not a socially inclusive and accessible technology. These users must fall back on things like a PIN to provide access control.

Technology progression

Technical details of the Apple solution are not clear, but a lot of fingerprint technologies have failed in the past and I am sure that this one will come under intense scrutiny by security researchers. I have demonstrated the “gummy finger” attack against an optical fingerprint scanner myself at conferences and in lectures, even creating a working latex ‘replacement’ fingerprint aka ‘Diamonds are Forever’.

Researchers have even gone as far as ‘lifting’ fingerprints, reversing the image (to get it back to the right way round) and etching them in order to create a pattern for new, usable replicas (see the gummy finger link above for more details). Other researchers have also defeated ‘liveness’ or pulse detection too.

Summary

So what do I really think? I think for high-end enterprise use cases (one area that Apple has been really going after in the past couple of years), this does make sense. I can imagine a CEO complying with that kind of policy more than a mandatory very long PIN or password. If they’re really important people though, you can certainly imagine them being targeted to copy their fingerprints as I mentioned at the beginning.

For your average user, maybe just maybe, the convenience aspect will make this a success. What that would mean is more devices secured at rest (i.e. left on café tables), so an opportunistic thief would not be able to get immediate access. It could even provide a different, potentially more secure way of authenticating to banking and payment services over the web or in a shop. I truly hope that users do not become the targets of more violent assaults where they are forced to give fingerprint access to their device.

Lastly, I hope that the Apple security engineering team have done their job correctly. At the end of the day, your fingerprint is translated into 1s and 0s. A representation of this has to be stored on the device in some way. Each time you access your phone, your data is then processed through an algorithm to get compared. If that is not done properly using secure hardware, then there’ll be another set of people producing hacking tools to address a new market for criminals to get around the fingerprint protection. The first commercially sold fingerprint scanner on a phone that I remember was in 2004 in the GI100, a Pantech device that was released in Asia. I looked into and rejected fingerprint scanning as a possibility for mobile phones at Panasonic in 2005 for many reasons (not least the processing capability needed). Nearly 10 years later it’ll be interesting to see whether it really is a useful security technology or just simply a movie-inspired gimmick.

Next week I’ll be heading over to Las Vegas for the world’s biggest security and hacking conferences: Black Hat and DEF CON. Here’s a short run-down of some presentations and briefings that are related to mobile. Obviously there are many others that may also be relevant to mobile (e.g. SSL attacks or HTML5). As you can see, mobile interest is again steadily going up, as is interest in other embedded platforms such as automotive and in-home systems. It looks like it is going to be a pretty interesting, if slightly scary, week!

A number of articles on mobile phone theft in the papers this weekend (20-21st July 2013). Regular readers will know that I’ve spoken quite a lot about phone theft in the past and at various events.

Snatch thefts are particularly high because the phone is ‘active’ at that point and not locked

The Daily Mail discusses the fact that Apple will publish an update later this year which will enable the “authentication lock” feature, preventing stolen phones from being re-enabled after theft. It also mentions that thieves will no longer be able to disable GPS and wipe the phone – common methods used to prevent tracking, and ones which also encouraged snatches of ‘active’ devices.

In the Daily Telegraph, Boris Johnson apparently said “Each of your companies promote the security of your devices, their software and information they hold, but we expect the same effort to go into hardware security so that we can make a stolen handset inoperable and so eliminate the illicit second-hand market in these products”.

This is badly off the mark – the problem is not the hardware security (this was addressed years ago and the work was acknowledged by the Home Secretary in 2008). The real problem is the export of devices – they are not blocked outside the UK so can continue to be used. This has nothing at all to do with hardware security, but it has everything to do with the ability to disable devices globally.

Other countries such as the US have only recently joined the party, claiming massive new street theft problems. The truth is this – phone theft will have always been a problem but it has only been recently that high profile violent robberies have forced them into action. What have the authorities been doing for the last ten or so years?

Apple’s authentication lock is not a kill switch

The terminology being used by politicians and the media is incorrect – preventing access to services is actually the opposite of reaching out and telling a device to ‘die’. Creating a real kill switch like that could in itself become a security problem. Imagine being able to turn off every phone in the world?

The reality is that the functionality for an “authentication lock” has only been technically possible in the past 5 years, because previously the manufacturer would have virtually no relationship with the customer. These days all the major OS providers ask users to sign up for an account with them to access services – and that’s the key. A relationship with the end user means that they can take action because they know when that phone gets used post-theft.

In the past, this simply wasn’t possible for the network operators. No operator (as far as I know) has a presence in every country in the world, so it wouldn’t usually see a phone once it had been exported. Yes, the IMEI (the device’s identity number) could technically be shared with a global database called the Central Equipment Identity Register, but that one piece of data is not reliable for many reasons, including a rash of counterfeit devices in some countries. However, if a phone has to connect home over the web, it allows a lot of information to be checked and even shared with the rightful owner. Although it is not fool-proof, it is the right thing to do as it makes the phone less attractive to a thief. It does raise a question for the Android manufacturers particularly. Will they now ask Google to provide this functionality for them, or somehow try to build it into their own anti-theft find-and-locate apps (which will not be as robust as putting this in at the OS level)?
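As an added illustration of why the IMEI on its own is weak evidence, the following Python (written for this page; it is not the author’s code, nor anything from the GSMA or an operator) implements the Luhn check digit that every 15-digit IMEI carries, a lookup against a small blocklist standing in for a CEIR export, and a check for the same IMEI being reported from more than one device. The TACs, serial numbers, blocklist contents and device reports are all constructed for the example. The point it demonstrates is that a well-formed IMEI is trivial to mint and that duplicated IMEIs (cloned or counterfeit handsets) make a blocklist hit ambiguous.

```python
"""IMEI check-digit validation and a CEIR-style blocklist lookup (added example)."""

from collections import Counter


def imei_check_digit(body14: str) -> int:
    """Luhn check digit for the 14-digit TAC + serial body of an IMEI.

    Counting from the right of the full 15-digit IMEI, every second digit is
    doubled; in the 14-digit body that is every odd index counting from the left.
    """
    if len(body14) != 14 or not body14.isdigit():
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True if the string is 15 digits and its last digit is the correct Luhn check."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    return imei_check_digit(imei[:14]) == int(imei[14])


def mint_imei(tac8: str, serial6: str) -> str:
    """Produce a well-formed IMEI from any TAC and serial.

    Anyone can do this, which is why a syntactically valid IMEI proves nothing
    about the handset that presents it.
    """
    body = tac8 + serial6
    return body + str(imei_check_digit(body))


# Constructed stand-in for a CEIR blocklist export: IMEIs reported stolen.
BLOCKLIST = frozenset({
    "490154203237518",
    "352099001234562",
})


def lookup(imei: str, blocklist=BLOCKLIST) -> str:
    """Classify a presented IMEI as 'malformed', 'blocked' or 'clear'."""
    if not is_valid_imei(imei):
        return "malformed"
    return "blocked" if imei in blocklist else "clear"


def duplicated_imeis(reports):
    """Given (imei, network) attach reports, return IMEIs seen on more than one network.

    A blocked IMEI that is simultaneously live on several networks is a strong
    sign of cloning or counterfeit hardware rather than a single stolen phone.
    """
    seen = {}
    for imei, network in reports:
        seen.setdefault(imei, set()).add(network)
    return sorted(i for i, nets in seen.items() if len(nets) > 1)


if __name__ == "__main__":
    # Constructed attach reports: the same IMEI appears on three networks.
    REPORTS = [
        ("490154203237518", "UK-op-A"),
        ("490154203237518", "NG-op-B"),
        ("490154203237518", "PK-op-C"),
        ("352099001234562", "UK-op-A"),
    ]
    print(lookup("490154203237518"))                       # blocked
    print(lookup(mint_imei("35209900", "654321")))          # clear, yet freshly minted
    print(duplicated_imeis(REPORTS))                        # ['490154203237518']
```

A real CEIR check would of course be an operator query rather than a local set, but the shape is the same: the answer is only as good as the uniqueness of the identifier being looked up.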

Next steps

Assuming the industry gets this right (and I hope they do), the ball will be back in government and Police hands. With rising theft figures, it is very easy to blame the manufacturers and operators. In reality this is a complex and largely social problem – people are still going to snatch expensive mobiles and try to use them to pay for things / use their functions etc and sell them. There’ll be a new, lucrative challenge for the cracking community to disable things like authentication lock. Up until 2011, the UK was the only country that had really done lots of things to help address theft in a proper manner including:

education for young people (youth-on-youth crime is very high)

posters in high crime areas like London

legal measures (making it illegal to change the IMEI number and possess the equipment to do so)

Bring Your Own Device (BYOD) is proving to be a big challenge among business directors. Many employers are looking to the idea of their employees taking their own mobile phones with them to work, for use in the day job.

Last week, I attended two events, both of which featured BYOD as their subject of focus. The first of these was the Mobile Monday panel discussion, “BYOD – A Faustian Pact?”, held at Centre Point in London. Copper Horse Director David Rogers chaired the session, and the panellists were from companies such as BlackBerry and Telefónica O2. The greatest aspect of the discussion, in addition to the interesting points raised by the panel, was the interactivity between the panel and an audience that was one of the most active I’ve seen. It provided some stimulating talk, occasionally punctuated by an audience show of hands on questions such as “Do you regularly use mobile banking?”. What was surprising to me was that the majority of the audience raised their hand to that.

The primary reasons behind implementing BYOD are to: increase flexibility, improve productivity and reduce cost for the organisation by not having to purchase ‘work phones’ for staff. However, there are important issues to consider for decision makers. And after attending these events, here are my thoughts on the subject:

BYOD is a balance of trust – A big question mark before embarking on implementing the idea of BYOD is – do employers trust their employees enough? Employers must expect and believe that their staff are capable of using their devices to an acceptable standard, be it at work, from the basics of refraining from making personal calls to not engaging in dangerous or illegal activities, or on a more general level, by having the nous to make sure that their device is as safe as it can be from outside threats. However, this all comes down to a piece of paper – the policy that’s written and implemented by the company and signed up to by the employee. In truth, employers are just giving in to the reality of the fact that their staff are bringing in their own devices anyway and the company has no control whatsoever.

BYOD is a balance of separation between work and home life – One of the largest considerations for an employer is that their employees’ work and home lives do not intertwine to a great extent. Of course, this depends on the role. For some staff, normally lower down the ladder of employment, it is a case of when the clock hits 5pm, work for the day is over and can be resumed at 9am the following day. But for other individuals, be it company directors or those whose job requires them to be ‘on call’, work becomes more of a continuous element of their lives. For the former, having work-related emails and calls coming through at hours when an employee is meant to have finished work for the day is a problem that needs to be considered. So where is the line drawn between work and play?

App permissions are a large consideration for employers seeking to implement BYOD – It’s not so much the type of apps that employees are downloading to their phones, it’s the permissions that the applications ask for when they are installed that is the problem. Your mobile number, contacts and location are just some of the many examples of the types of information that a mobile app can gather. And depending on the type of work an individual’s business carries out, employers may not be so keen to let users reveal particular data. There are data protection obligations too. Ultimately, the phone belongs to the employee, but there may be situations where restrictions need to be in place so that their work for a company isn’t compromised. This needs to be addressed via mobile device management (MDM) tools, but is that too intrusive into the personal side of things?

Policies: A simple one-time checklist or an ever-changing nightmare? – Whilst a BYOD policy outlines the rules set by an employer which an employee must abide by, a device policy addresses the issues of what features of the phone the employee is able to use – and this is a problem when it comes to BYOD. Employees’ phones are all so different, suited on a work level for their particular role and on a non-work level in terms of personal preferences, e.g. the type of apps they download (and the sensitive access to features which come with them). So is it the case that tailored device policies are required, in conjunction with their phone settings, or is it possible to roll out a generalised device policy for all to agree by? Or is it a combination of the two, where a middle ground needs to be identified? Technology and the components of it are changing all the time, with mobile phone applications being updated regularly as well as the device, platform and browser software. So is it the case that an employee’s device policy needs to be looked at after every individual change? The word “impractical” springs to mind, particularly in a large organisation. But regular changes made to phones will include addressing security features from time to time, so whose responsibility is it to take care of security in BYOD?

The responsibility of mobile application security is still ‘up in the air’ – Following on from the previous two points, a poll was taken during the webinar, asking attendees whether they believed the responsibility of mobile app security should be down to IT departments. Over 25% of the voters answered with the option that it is down to IT. However, the remaining voters disagreed, with the majority of those saying that responsibility should be shared across more than one area. In the area of BYOD, security is surely something that users should be involved in, but is it something that they are wholly responsible for? To have each individual employee notifying their organisation about updates to their phone and how it affects their policy again seems impractical. Overall, the responsibility is definitely something that in my opinion needs to be shared, but how and exactly who with remains to be seen.

As is clear, there are a plethora of questions that need to be answered before BYOD can be implemented, regardless of a company’s size. But I suppose the ultimate question is – do the benefits outweigh the drawbacks? Another audience show of hands was taken at the conclusion of the Mobile Monday panel discussion, asking whether the advantages of BYOD outweighed the disadvantages. The advantages had it, but by a narrow margin, so this example further evidences the fact that although BYOD is being increasingly taken up by organisations, there are still major hang-ups with the idea that need to be considered meticulously by an employer before the implementation process can begin. It remains, for now, a difficult subject.

Some links:

Facebook announced on Tuesday that only 660,000 of its 1 billion users responded to proposals by the site to allow changes to be made to the governing of the social networking giant. The primary modifications included: increasing the sharing of data between its services, making the rules regarding who can message users more lax, and removing the voting system. These apply to every version of Facebook, including the mobile application.

On the face of it, a turnout of 0.06% is a very small figure. And considering that most of the points that the proposals were setting out are security and privacy related, it begs the immediate question; do Facebook users really care about their account security?


As a young person, who has been studying a security related degree, security and privacy on social networking sites is something that I think about regularly. Who is able to contact me? What details am I giving out? And are my embarrassing photos only being limited to a particular number of people or are they being made public?

So why didn’t I answer? I’ve had a Facebook account for a while now. But my allegiances to social networking sites have now switched. Twitter, the growing threat to Facebook, now occupies most of my networking time, so it seems I’ve deemed Facebook to be second in importance in this department. And with a reduction in its value to me, Facebook’s changes to my account fall to the bottom of my ‘to-do list’.

Speaking to my friends about it, they were saying much of the same. For many of them, Twitter is their new top social networking site, so they’re more interested in the security of that rather than Facebook now. It was too time consuming and a response would have been made if longer had been given to answer were other reasons given also. Some simply didn’t care.

But although the impression gathered from the response to the poll is that the changes involved are not important to users, approximately 90% of the respondents to the proposals were against planned changes. So does this actually mean the opposite? If people actually do care about security, why are they so against the changes? A 0.06% response rate might appear small at first, but considering Facebook’s global popularity, it is in fact a sizeable number of people. After all, online petitions to the UK government are gated at only 100,000 respondents.

In my opinion, people are fed up with data sharing to third parties becoming such a prominent feature of Facebook. Details put on the site by users are in the majority of cases for their friends and only for their friends, not for Facebook and the extended services offered, such as advertising. It could also be that there’s a growing element of mistrust between the users and the online giant. Some feel that they cannot trust the social network and may think the changes are one too many. Users are so worn down that they feel their voices won’t be heard anyway, so just resign themselves in apathy, in the hope that they’ll be able to one day export their photos and friends and finally get out.